NSA, CISA partner for guide on safe VPNs amid widespread exploitation by nation-states

The US agencies released the guides as threats targeting VPNs continue to grow.

The NSA and CISA have released a detailed guide on how people and organizations should choose virtual private networks (VPN) as both nation-states and cybercriminals ramp up their exploitation of the tools amid a global shift to remote work and schooling.

The nine-page fact sheet also includes details on ways to deploy a VPN securely. The NSA said in a statement that the guide would also be helpful to leaders in the Department of Defense, National Security Systems and the Defense Industrial Base so that they can "better understand the risks associated with VPNs."

The NSA said multiple nation-state APT actors have weaponized common vulnerabilities and exposures to gain access to vulnerable VPN devices, allowing them to steal credentials, remotely execute code, weaken encrypted traffic's cryptography, hijack encrypted traffic sessions and read sensitive data from a device. 

NSA director Rob Joyce told the Aspen Cybersecurity Summit this week that "multiple nation-state actors are leveraging CVEs to compromise vulnerable Virtual Private Networks devices."

He wrote on Twitter that VPN servers are entry points into protected networks, making them attractive targets. 

"APT actors have and will exploit VPNs -- the latest guidance from NSA and @CISAgov can help shrink your attack surface. Invest in your own protection!" he added. 

CISA director Jen Easterly echoed Joyce's remarks, sharing the same message about nation-state exploitation. 

The notice included a list of "tested and validated" VPN products on the National Information Assurance Partnership Product Compliant List, many of which use multi-factor authentication and promptly apply patches and updates. 

Experts lauded CISA and the NSA for creating the list. Chester Wisniewski, a principal research scientist at Sophos, told ZDNet that for too long, there has not been a trusted voice on VPNs without a vested interest in selling you something. 

"Combining the knowledge and experience of the NSA with CISA's remit of helping protect the US private sector puts them in a good position to provide trusted advice on staying safe against criminal actors," Wisniewski said. 

He noted that the advice is largely copied from suggestions provided to defense contractors and similar entities. 

"It is great advice, but incredibly complicated and burdensome for most commercial entities. None of what's said is wrong, but it requires a lot of forethought and a lot of process to comply with," Wisniewski added. 

"Most organizations are incapable of following much of the advice. Doing VPNs right is really hard, as demonstrated in this document, so I would urge organizations to pursue zero trust network access and SD-WAN as a more practical way of achieving similar goals. Rather than rebuild your entire VPN strategy to remain doing it the old way, you may as well spend the same time/resources to modernize your approach to remote access and reap the benefits rather than simply shore up the old way."

Untangle senior vice president Heather Paunet noted that cyberattacks on VPNs are very costly due to potential ransoms or data accessed, as seen with the Pulse Secure VPN exploit in April that compromised government agencies and companies in the US and Europe.

While there has been a rise in vulnerabilities of VPNs due to more VPN usage over the last year and a half, newer VPN technologies with newer types of cryptography are evolving to ensure the protection of information transmitted across the internet, Paunet said, noting popular tools like WireGuard VPN that use cryptography. 

"What is missing from the guidelines are taking the human element into consideration. Along with following the strict guidelines, IT professionals are also challenged with getting employees to effectively use the technology. If the VPN is too difficult to use, or slows down systems, the employee is likely to turn it off," Paunet said. 

"The challenge for IT professionals is to find a VPN solution that fits the guidelines, but is also fast and reliable so that employees turn it on once and forget about it."

Archie Agarwal, CEO at ThreatModeler, noted that a quick search on the Shodan search engine reveals over a million VPNs on the Internet in the US alone, providing a doorways to private sensitive internal networks that are sitting exposed to the world for anyone to try to break through. 

"These represent the old perimeter security paradigm and have failed to protect the inner castle over and again. If credentials are leaked or stolen, or new vulnerabilities discovered, the game is lost and the castle falls," Agarwal said.